cvelistv5 - cve-2025-59154

CVE-2025-59154 (GCVE-0-2025-59154)

Vulnerability from cvelistv5 – Published: 2025-09-15 20:03 – Updated: 2025-09-15 20:11

Summary

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU="CN=admin,"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

GitHub_M

References

URL

Tags

	https://github.com/igniterealtime/Openfire/securi…	x_refsource_CONFIRM
	https://github.com/igniterealtime/Openfire/blob/8…	x_refsource_MISC
	https://igniterealtime.atlassian.net/browse/OF-3122	x_refsource_MISC
	https://igniterealtime.atlassian.net/browse/OF-3123	x_refsource_MISC
	https://igniterealtime.atlassian.net/browse/OF-3124	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	igniterealtime	Openfire	Affected: < 5.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59154",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-15T20:11:37.246059Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-15T20:11:46.822Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Openfire",
          "vendor": "igniterealtime",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\"CN=admin,\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T20:03:34.341Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp"
        },
        {
          "name": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43"
        },
        {
          "name": "https://igniterealtime.atlassian.net/browse/OF-3122",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://igniterealtime.atlassian.net/browse/OF-3122"
        },
        {
          "name": "https://igniterealtime.atlassian.net/browse/OF-3123",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://igniterealtime.atlassian.net/browse/OF-3123"
        },
        {
          "name": "https://igniterealtime.atlassian.net/browse/OF-3124",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://igniterealtime.atlassian.net/browse/OF-3124"
        }
      ],
      "source": {
        "advisory": "GHSA-w252-645g-87mp",
        "discovery": "UNKNOWN"
      },
      "title": "Openfire allows potential identity spoofing via unsafe CN parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59154",
    "datePublished": "2025-09-15T20:03:34.341Z",
    "dateReserved": "2025-09-09T15:23:16.327Z",
    "dateUpdated": "2025-09-15T20:11:46.822Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59154\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-09-15T20:15:39.237\",\"lastModified\":\"2025-09-16T12:49:16.060\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\\\"CN=admin,\\\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.7,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"references\":[{\"url\":\"https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://igniterealtime.atlassian.net/browse/OF-3122\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://igniterealtime.atlassian.net/browse/OF-3123\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://igniterealtime.atlassian.net/browse/OF-3124\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59154\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-15T20:11:37.246059Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-15T20:11:40.859Z\"}}], \"cna\": {\"title\": \"Openfire allows potential identity spoofing via unsafe CN parsing\", \"source\": {\"advisory\": \"GHSA-w252-645g-87mp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"igniterealtime\", \"product\": \"Openfire\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp\", \"name\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43\", \"name\": \"https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://igniterealtime.atlassian.net/browse/OF-3122\", \"name\": \"https://igniterealtime.atlassian.net/browse/OF-3122\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://igniterealtime.atlassian.net/browse/OF-3123\", \"name\": \"https://igniterealtime.atlassian.net/browse/OF-3123\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://igniterealtime.atlassian.net/browse/OF-3124\", \"name\": \"https://igniterealtime.atlassian.net/browse/OF-3124\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\\\"CN=admin,\\\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-09-15T20:03:34.341Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59154\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-15T20:11:46.822Z\", \"dateReserved\": \"2025-09-09T15:23:16.327Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-09-15T20:03:34.341Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-59154

Vulnerability from fkie_nvd - Published: 2025-09-15 20:15 - Updated: 2025-09-16 12:49

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43
	security-advisories@github.com	https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3122
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3123
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3124

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\"CN=admin,\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0."
    }
  ],
  "id": "CVE-2025-59154",
  "lastModified": "2025-09-16T12:49:16.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-15T20:15:39.237",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3122"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3123"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3124"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-W252-645G-87MP

Vulnerability from github – Published: 2025-09-16 01:54 – Updated: 2025-09-16 01:54

Summary

Openfire has potential identity spoofing issue via unsafe CN parsing

Details

Summary

Identity spoofing in X.509 client certificate authentication in Openfire allows internal attackers to impersonate other users via crafted certificate subject attributes, due to regex-based extraction of CN from an unescaped, provider-dependent DN string.

Analysis

Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped.

As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU="CN=admin,"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user.

Impact

When there is no explicit configuration override, Openfire defaults to using certificate attributes as follows:

Server-to-server certificates: first the Subject Alternative Name (SAN), and if that is not available, the Common Name (CN).
Client-to-server certificates: only the Common Name (CN).

Use of CN for identity mapping was phased out by the CA/Browser Forum. CAB Forum-compliant CAs no longer allow arbitrary Subject RDNs and always include SANs. As a result, certificates issued by public CAs for use on the open Internet are unlikely to be exploitable, though older certificates still within their validity period could theoretically be abused.

The primary risks exist in private CA environments and client certificate authentication, where identity mapping may rely solely on the CN. Both of these are niche deployment scenarios.

Patches

The path has been prepared by replacing the use of getSubjectDN().getName() with standards-compliant LdapName parsing of the RFC2253 representation of X500Principal. This avoids unescaped provider-dependent strings and prevents regex from matching malicious substrings.

The fix is included in Openfire 5.0.2 and 5.1.0. Users should upgrade to this version as soon as it becomes available.

Starting in Openfire 5.0.2, Openfire will by default prefer a Subject Alternative Name-based identity over a Common Name based one for client-to-server authentication (issue OF-3123). For server-to-server authentication, this already is the case.

In Openfire 5.1.0, Openfire will no longer, by default, use Common Name based identities, although this functionality can be restored through configuration changes (issue OF-3122).

Workarounds

The vulnerability is fixed in the upcoming release, but there are operational mitigations you can apply today.

Full workaround (drop-in replacement JAR using the fixed mapper)

This is a complete workaround: 1. Take the fixed mapper implementation (the code that uses LdapName / RFC2253 parsing) from the patched Openfire source. 2. Create a new Java class in your proprietary namespace (for example com.acme.openfire.SafeCNCertificateIdentityMapping) that implements the same Openfire certificate-identity mapping interface and contains the fixed parsing logic. Ensure the logic exactly mirrors the patched behavior (use X500Principal.getName() with RFC2253 and javax.naming.ldap.LdapName to parse RDNs, do not rely on getSubjectDN().getName() or provider-dependent strings). 3. Package the class into a JAR file. 4. Place the JAR into Openfire’s lib/ directory (e.g. $OPENFIRE_HOME/lib/your-fixed-mapper.jar). 5. Configure Openfire to use your class for mapping by setting the following properties (in the admin console / system properties). Note that it remains advisable to configure Openfire to keep preferring SAN-based identities:

# For server-to-server identity mapping
provider.serverCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping

# For client-to-server identity mapping
provider.clientCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping

Both properties accept a comma-separated list of fully-qualified class names; listing only your safe mapper forces Openfire to use your implementation instead of the vulnerable built-in mapper. After placing the JAR and updating properties, restart Openfire.

Notes & caveats for the full workaround

This is effectively a complete mitigation for the vulnerable CN-extraction behavior without deploying a new official release.
Maintain the JAR: you are responsible for keeping the custom class updated if you upgrade Openfire to newer major versions.
Ensure your custom mapper truly implements the patched parsing (do not copy the vulnerable getSubjectDN().getName() + regex approach). Use X500Principal → getName(RFC2253) → new LdapName(...) → iterate RDNs in a robust way.
Because this runs in the Openfire JVM, follow your organization’s binary-signing and review policies before deploying.

Other, lesser workarounds

Use SAN-only mapping

Configure the mapper list to only include Openfire’s SAN mapper: org.jivesoftware.util.cert.SANCertificateIdentityMapping. This prevents CN parsing-based spoofing but breaks authentication for certificates that contain only a CN and no SAN.

Disable certificate-based authentication:

For server-to-server, disabling certificate auth leaves only Server Dialback, which is less secure; depending on your environment, this may be a worse trade-off.
For client-to-server, disable “mutual authentication” in the admin console to stop client cert authentication altogether.

References

Openfire issue tracker: OF-3124: Potential identity spoofing via unsafe CN parsing
Affected code: CNCertificateIdentityMapping.java#L43
Openfire issue tracker: OF-3122: Stop by default using Common Name based identities
Openfire issue tracker: OF-3123: For client mutual authentication, prefer Subject Alternative Name for identities

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.igniterealtime.openfire:xmppserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-16T01:54:24Z",
    "nvd_published_at": "2025-09-15T20:15:39Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nIdentity spoofing in X.509 client certificate authentication in Openfire allows internal attackers to impersonate other users via crafted certificate subject attributes, due to regex-based extraction of CN from an unescaped, provider-dependent DN string.\n\n## Analysis\n\nOpenfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls `X509Certificate.getSubjectDN().getName()` and applies a regex to look for `CN=`. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (`sun.security.x509.X500Name`), for example, commas and equals signs inside attribute values are not escaped.\n\nAs a result, a malicious certificate can embed `CN=` inside another attribute value (e.g. `OU=\"CN=admin,\"`). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user.\n\n## Impact\n\nWhen there is no explicit configuration override, Openfire defaults to using certificate attributes as follows:\n\n- Server-to-server certificates: first the Subject Alternative Name (SAN), and if that is not available, the Common Name (CN).\n- Client-to-server certificates: only the Common Name (CN).\n\nUse of CN for identity mapping was phased out by the CA/Browser Forum. CAB Forum-compliant CAs no longer allow arbitrary Subject RDNs and always include SANs. As a result, certificates issued by public CAs for use on the open Internet are unlikely to be exploitable, though older certificates still within their validity period could theoretically be abused.\n\nThe primary risks exist in private CA environments and client certificate authentication, where identity mapping may rely solely on the CN. Both of these are niche deployment scenarios.\n\n## Patches\n\nThe path has been prepared by replacing the use of `getSubjectDN().getName()` with standards-compliant `LdapName` parsing of the RFC2253 representation of `X500Principal`. This avoids unescaped provider-dependent strings and prevents regex from matching malicious substrings.  \n\nThe fix is included in Openfire 5.0.2 and 5.1.0. Users should upgrade to this version as soon as it becomes available.  \n\nStarting in Openfire 5.0.2, Openfire will by default prefer a Subject Alternative Name-based identity over a Common Name based one for client-to-server authentication (issue OF-3123). For server-to-server authentication, this already is the case.\n\nIn Openfire 5.1.0, Openfire will no longer, by default, use Common Name based identities, although this functionality can be restored through configuration changes (issue OF-3122).\n \n## Workarounds\n\nThe vulnerability is fixed in the upcoming release, but there are operational mitigations you can apply today.\n\n### Full workaround (drop-in replacement JAR using the fixed mapper)\n _This is a complete workaround:_\n1. Take the fixed mapper implementation (the code that uses LdapName / RFC2253 parsing) from the patched Openfire source.\n2. Create a new Java class in your proprietary namespace (for example `com.acme.openfire.SafeCNCertificateIdentityMapping`) that implements the same Openfire certificate-identity mapping interface and contains the fixed parsing logic. Ensure the logic exactly mirrors the patched behavior (use `X500Principal.getName()` with RFC2253 and `javax.naming.ldap.LdapName` to parse RDNs, do not rely on `getSubjectDN().getName()` or provider-dependent strings).\n3. Package the class into a JAR file.\n4. Place the JAR into Openfire\u2019s lib/ directory (e.g. `$OPENFIRE_HOME/lib/your-fixed-mapper.jar`).\n5. Configure Openfire to use your class for mapping by setting the following properties (in the admin console / system properties). Note that it remains advisable to configure Openfire to keep preferring SAN-based identities:\n```\n# For server-to-server identity mapping\nprovider.serverCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping\n\n# For client-to-server identity mapping\nprovider.clientCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping\n```\nBoth properties accept a comma-separated list of fully-qualified class names; listing only your safe mapper forces Openfire to use your implementation instead of the vulnerable built-in mapper. After placing the JAR and updating properties, *restart Openfire*.\n\n**Notes \u0026 caveats for the full workaround**\n\n- This is effectively a complete mitigation for the vulnerable CN-extraction behavior without deploying a new official release.\n- Maintain the JAR: you are responsible for keeping the custom class updated if you upgrade Openfire to newer major versions.\n- Ensure your custom mapper truly implements the patched parsing (do not copy the vulnerable `getSubjectDN().getName()` + regex approach). Use `X500Principal` \u2192 `getName(RFC2253)` \u2192 `new LdapName(...)` \u2192 iterate RDNs in a robust way.\n- Because this runs in the Openfire JVM, follow your organization\u2019s binary-signing and review policies before deploying.\n\n### Other, lesser workarounds\n\n#### Use SAN-only mapping\nConfigure the mapper list to only include Openfire\u2019s SAN mapper: `org.jivesoftware.util.cert.SANCertificateIdentityMapping`. This prevents CN parsing-based spoofing but breaks authentication for certificates that contain only a CN and no SAN.\n\n#### Disable certificate-based authentication:\n- For server-to-server, disabling certificate auth leaves only Server Dialback, which is less secure; depending on your environment, this may be a worse trade-off.\n- For client-to-server, disable \u201cmutual authentication\u201d in the admin console to stop client cert authentication altogether.\n\n## References\n\n- Openfire issue tracker: [OF-3124: Potential identity spoofing via unsafe CN parsing](https://igniterealtime.atlassian.net/browse/OF-3124)\n- Affected code: [CNCertificateIdentityMapping.java#L43](https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43)  \n- Openfire issue tracker: [OF-3122: Stop by default using Common Name based identities](https://igniterealtime.atlassian.net/browse/OF-3122)\n- Openfire issue tracker: [OF-3123: For client mutual authentication, prefer Subject Alternative Name for identities](https://igniterealtime.atlassian.net/browse/OF-3123)",
  "id": "GHSA-w252-645g-87mp",
  "modified": "2025-09-16T01:54:24Z",
  "published": "2025-09-16T01:54:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59154"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/igniterealtime/Openfire"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43"
    },
    {
      "type": "WEB",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3122"
    },
    {
      "type": "WEB",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3123"
    },
    {
      "type": "WEB",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3124"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Openfire has potential identity spoofing issue via unsafe CN parsing"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-59154 (GCVE-0-2025-59154)

FKIE_CVE-2025-59154

GHSA-W252-645G-87MP

Summary

Analysis

Impact

Patches

Workarounds

Full workaround (drop-in replacement JAR using the fixed mapper)

Other, lesser workarounds

Use SAN-only mapping

Disable certificate-based authentication:

References

Tags

Sightings

Nomenclature